Oh no! Not another security patch Tuesday blog post!

It’s that day of the month again when security purveyors trundle out their wares and hawk their opinions and advice regarding Microsoft’s latest round of security patches. This month is no different. Conducting a search on ‘patch Tuesday’ reveals a wealth of information and advice about this month’s round of fresh vulnerabilities. You will also find advice on how to prioritize your response.

Our advice on this matter is pretty straightforward – patch now. We recommend that you read the advisories, understand the risks that the disclosure of these vulnerabilities poses for you and/or your organization, and act accordingly. Don’t forget that the good guys aren’t the only ones avidly awaiting the release of this information each month. But that’s not what this post is really about.

I recently started working at HP Security Research, including the Zero Day Initiative (ZDI) team, after leaving Microsoft. As such, I find myself looking at “Patch Tuesday” from quite a different perspective now. Have you ever wondered where the research comes from that uncovers the vulnerabilities that get patched? ZDI researchers discover about half of all vulnerabilities Microsoft patches, including the large majority of the critical ones. This month is no different. Of the 14 critical CVEs (“[vulns] whose exploitation could allow code execution without user interaction”) being patched this month, ZDI researchers discovered and responsibly disclosed 10 of them, leading to these vulnerabilities being addressed by Microsoft and making the ecosystem safer for everyone. Not a bad result!

You know, if we look back at 2013 so far, we can see that ZDI researchers have been consistently fighting the good fight to uncover vulnerabilities and effectively take them off the market for the ne’er-do-wells.

In case you haven’t heard of ZDI, it’s a bug bounty program that rewards security researchers for responsibly disclosing vulnerabilities in software, from any vendor. Once vulnerabilities have been reported and verified, ZDI works with vendors to ensure that these vulnerabilities are disclosed in a secure fashion so that they can be addressed. This improves the security of software overall, and helps to eliminate opportunities for exploitation.

It’s not just Microsoft that gets attention from ZDI researchers – our researchers are working to uncover vulnerabilities in all different kinds of software from lots of different vendors – including HP. If you’re interested in learning more about the work of ZDI and the resulting hardening of popular software, you can find our published advisories here.

So, yes, this was yet another Patch Tuesday post from a security software company. But for ZDI, Patch Tuesday is one of the best days of the month – a time when we get to see the work of our researchers make an impact in an obvious way—and that’s pretty satisfying.

Patch now, patch often, stay safe.

Heather Goudey
HP Security Research
